Status: June 1, 2025
1. Responsible Party
SelectCode GmbH
Oskar-vonMiller-Straße 11
82008 Unterhaching
Germany
Contact:
Email: datenschutz@meingpt.com
Telephone: +49 89 54198646
Website: https://meingpt.com
Management: Florian Baader, Reiner Conrad
Data Protection Officer:
heyData GmbH
Schützenstr. 5
10117 Berlin
Email: datenschutz@heydata.eu
Competent Supervisory Authority:
Bavarian State Office for Data Protection Supervision (BayLDA)
Promenade 18
91522 Ansbach
2. Overview of Processing
This privacy policy informs you about the nature, scope and purpose of the processing of personal data when using our B2B AI platform meinGPT.
Important note for corporate customers: As an administrator, you are responsible for ensuring that data is used in accordance with data protection regulations within your organisation, particularly when processing employee data. A data protection impact assessment (DPIA) may be required.
Types of Data Processed
- Inventory data (names, company addresses, commercial register data)
- Contact details (business email, telephone numbers)
- Content data (AI chat entries, uploaded documents, API requests)
- Usage data (access times, function usage, API calls)
- Meta/communication data (IP addresses, browser information)
- Contract data (subject matter of the contract, term, licence model)
- Payment data (billing address, payment history via Stripe)
- Employee metadata (aggregated usage statistics, never content)
- Newsletter/webinar data (registrations, participation lists)
Data Subjects
- Administrators and main contact persons of customer companies
- End users (employees of our business customers)
- API users and developers
- Newsletter subscribers
- Webinar participants
- Website visitors
3. Legal Bases
The processing of personal data is based on the following legal bases:
- Art. 6(1)(b) GDPR: Contract performance and pre-contractual enquiries
- Art. 6(1)(f) GDPR: Legitimate interests (e.g. IT security, fraud prevention)
- Art. 6(1)(a) GDPR: Consent (for optional functions)
- Art. 6(1)(c) GDPR: Legal obligations
4. Purposes of Data Processing
4.1 Provision of the meinGPT Platform
Processed data:
- Registration data (name, email, company)
- Login data
- Chat histories and AI interactions
- Uploaded files and documents
Purpose:
- Provision of AI services
- Storage of chat histories
- Document processing
- Workflow automation
Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
Storage period:
- Chat histories: 12 months after last activity
- Uploaded documents: 12 months after upload
- Automatic deletion after expiry
4.2 User Management and Authentication
Processed data:
- Email address
- Password (encrypted)
- IP address upon login
- Session data
Purpose:
- Secure authentication
- Management of access rights
- Multi-factor authentication
Legal basis: Art. 6(1)(b) GDPR
Storage period:
- During the contract period
- 30 days after the end of the contract (waiting period)
- After that, complete deletion
4.3 Billing and Payment Processing
Processed data:
- Company data and billing address
- Contact person for invoices
- Payment history
- Credit consumption and usage volume
- Transaction data via Stripe
Purpose:
- Billing for services used
- Accounting and tax returns
- Credit checks for large customers
- Fraud prevention
Legal basis:
- Art. 6(1)(b) GDPR (performance of a contract)
- Art. 6(1)(c) GDPR (legal obligation)
- Art. 6(1)(f) GDPR (legitimate interests for fraud prevention)
Storage period: 10 years in accordance with § 147 AO and § 257 HGB
4.4 Employee Usage Analyses (B2B)
⚠️ ATTENTION Data protection risk: The processing of employee usage data is highly sensitive in terms of data protection law. Administrators must establish their own legal basis (e.g. works agreement) before activating these functions.
Processed data:
- Aggregated usage statistics (number of chats, token consumption)
- Workflow usage per department
- NO chat content or individual evaluations
- Anonymised performance indicators
Purpose:
- Licence management for corporate customers
- Departmental usage overview
- ROI analyses for AI use
Legal basis:
- Art. 6(1)(b) GDPR (contract fulfilment with companies)
- Art. 88 GDPR in conjunction with § 26 BDSG (employee data protection – responsibility of the customer)
Storage period:
- Maximum 6 months
- Automatic deletion of older data
- Only aggregated data, no individual evaluations
Data protection guarantees:
- No individual evaluations possible
- Minimum group size of 5 persons
- Opt-out option for companies
- Privacy by default: Function is deactivated by default
5. Recipients and Categories of Recipients
5.1 AI Model Providers
Depending on the selected data protection level, your data will be transferred to the following categories of providers:
Level 1 - EU Only:
- Exclusively EU providers (e.g. Mistral AI, Aleph Alpha)
- No data transfer outside the EU
Level 2 - EU Hosting:
- Providers with servers in the EU
- Including EU subsidiaries of US corporations (e.g. Microsoft Azure)
Level 3 - Worldwide with DPF:
- Additionally, US providers with Data Privacy Framework certification
- OpenAI, Anthropic, Google, Microsoft Azure
Level 4 - Worldwide + PII Filter:
- All providers with automatic filtering of personal data
You can find the specific list of providers for your selected level in your data processing agreement (DPA).
5.2 Infrastructure Service Provider
Hetzner Online GmbH (hosting, Germany)
- Purpose: Server hosting, databases, storage
- Legal basis: Art. 6(1)(b) GDPR
- Server location: Germany (Nuremberg, Falkenstein)
- ISO 27001 certified
5.3 Other Service Providers
DPO note: Current data processing agreements must be in place for all of the following service providers. DPF certification must be checked for US providers.
Payment Processing
Stripe (USA/Ireland)
- Purpose: Payment processing, invoicing
- Legal basis: Art. 6(1)(b) GDPR
- Third country transfer: ✅ EU branch (Stripe Technology Europe Ltd., Dublin)
- Protective measures: EU data processing possible, DPF certified
Support & Helpdesk
ProductLane GmbH (Germany) ✅
- Purpose: Customer service, support tickets
- Legal basis: Art. 6(1)(b) GDPR
- Headquarters: Munich, Germany
- EU data processing: Guaranteed
Forms & Surveys
Tally (Belgium) ✅
- Purpose: Forms, surveys, registrations
- Legal basis: Art. 6(1)(f) GDPR
- EU data processing guaranteed
Webinars & Online Events
Microsoft Teams (USA/EU)
- Purpose: Webinar delivery
- Legal basis: Art. 6(1)(a) GDPR (Consent)
- Special feature: EU data centre available, but participant data may be processed in the USA
Integrations
Google Workspace (USA/EU)
Microsoft 365 (USA/EU)
- Purpose: Optional integrations that can be activated by customers
- Legal basis: Art. 6(1)(b) GDPR
- Note: Customers must have their own DPAs with these providers
6. Third Country Transfers
When using AI models outside the EU (Levels 3 and 4), data transfers to third countries are based on the following safeguards:
- EU-US Data Privacy Framework (for US providers)
- Standard contractual clauses of the European Commission
- Your explicit consent at Level 4
Despite protective measures, there is a residual risk with third country transfers, as the legal situation in third countries may differ from EU standards.
7. No Use for AI Training
Important guarantee: Your data will not be used by us or our processors for training AI models. This is contractually agreed with all providers.
8. Your Rights as a Data Subject
You have the following rights:
8.1 Right of Access (Art. 15 GDPR)
You can request information about your personal data processed by us.
8.2 Right to Rectification (Art. 16 GDPR)
You can request the rectification of inaccurate data or the completion of incomplete data.
8.3 Right to Erasure (Art. 17 GDPR)
You can request the erasure of your personal data ("right to be forgotten").
8.4 Right to Restriction of Processing (Art. 18 GDPR)
You can request the restriction of the processing of your data.
8.5 Data Portability (Art. 20 GDPR)
You have the right to receive your data in a structured, machine-readable format.
8.6 Right to Object (Art. 21 GDPR)
You may object to the processing of your data.
8.7 Right to Withdraw Consent
You may withdraw your consent at any time with effect for the future.
8.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority.
How to exercise your rights:
- Self-service portal: https://app.meingpt.com/settings/privacy
- Alternatively: Email: datenschutz@heydata.eu
- Processing time: maximum 1 month
9. Cookies and Tracking
We only use technically necessary cookies:
Session cookies: To maintain your login
- Duration: Until you close your browser
- Purpose: Authentication
Preference cookies: For your settings (language, theme)
- Duration: 12 months
- Purpose: User experience
No tracking cookies: We do not use any analysis or marketing cookies.
10. Storage Periods at a Glance
Administrator-Controlled Retention (B2B)
Full control for your organisation: As a B2B platform, we enable your administrators to set retention periods themselves in accordance with your company policies, compliance requirements and business needs.
Available Retention Options
| Data Type | Admin Options | Default (if not configured) | Notes |
|---|---|---|---|
| Business Data | |||
| Chat histories & AI interactions | 30 days to unlimited | 12 months | Admin selectable by category |
| Uploaded documents | 30 days to unlimited | 12 months | Separate setting possible |
| Workflow data | 30 days to unlimited | 12 months | Dependent on business processes |
| Technical Data | |||
| API logs | 7-90 days | 30 days | For debugging & billing |
| Security logs (IP addresses) | 7-180 days | 90 days | Observe compliance requirements |
| Not Configurable | |||
| Invoice data | 10 years (legal) | - | § 147 AO, § 257 HGB |
| Contract data | 6 years after end | - | limitation periods |
| Account basic data | Contract term + 30 days | - | recovery period |
How Admin Control Works
- Global policies: Company-wide default settings
- Category-based: Different retention periods for different data types
- Department-specific: Optional different policies per department
- Compliance dashboard:
- Overview of all retention settings
- Warnings for unusually long retention periods
- Audit log of all changes
Legal Responsibility
Important for administrators: As an organisation, you are responsible for:
- Compliance with applicable data protection laws
- Setting appropriate retention periods
- Informing your employees about retention policies
- Regularly reviewing the necessity (especially for "unlimited")
Our shared responsibility model:
- Your organisation (controller): Determines the purposes and duration of data processing
- meinGPT (processor): Provides secure infrastructure and compliance tools
- Legal basis: Art. 28 GDPR – We act exclusively on your instructions
Recommendations by Industry
| Industry | Recommended Chat Retention | Justification |
|---|---|---|
| Financial services | 5–7 years | Regulatory requirements (MiFID II, etc.) |
| Healthcare | 3–10 years | Patient documentation, MDR |
| Public sector | 2-5 years | Archiving obligations |
| Tech/software | 6-18 months | Project cycles, support |
| Consulting | 2-5 years | Project documentation |
Additional Features
- ✅ Legal hold: Exclude data from deletion for legal proceedings
- ✅ Selective retention: Keep individual important chats/documents for longer
- ✅ Auto-archiving: Move older data to more cost-effective storage
- ✅ Deletion notifications: Optional 30 days before automatic deletion
- ✅ Data export: Complete export of your data at any time
Note: Employees can request the deletion of their personal data at any time, provided that there are no legal retention obligations or legitimate business interests that prevent this.
Technical Implementation of Deletion
- Immediate deletion: Upon request within 72 hours
- Automatic deletion: After expiry of the configured period
- Cascaded deletion: Including backups (max. 30 days)
- Deletion log: Proof of deletion for compliance
11. Data Security
We use extensive technical and organisational measures (TOMs):
- End-to-end encryption
- Regular security audits
- ISO 27001-compliant processes
- 24/7 monitoring
- Incident response team
Details can be found at: Technical and Organisational Measures
12. Newsletter and Marketing Communication
12.1 Newsletter Dispatch
Processed data:
- Email address
- Name and company
- Time of registration
- IP address at registration
- Opening and click behaviour
Legal basis: Art. 6(1)(a) GDPR (consent)
Double opt-in:
- Confirmation email required
- Logging of registration time
- Proof of consent is stored
Revocation: Each newsletter contains an unsubscribe link. Alternatively: Email to datenschutz@meingpt.com
Service provider: Loops (USA, standard contractual clauses)
12.2 Webinars
Processed data:
- Registration data (name, email, company)
- Participation data
- Chat contributions during the webinar
- If recorded: Image and sound (only with separate consent)
Legal basis:
- Participation: Art. 6(1)(b) GDPR
- Recording: Art. 6(1)(a) GDPR (separate consent)
Notes:
- Camera can be deactivated
- Recordings only with prior notice
- Deletion of participant data after 6 months
- Recordings are deleted after 3 months
13. API Services
Special features for API users:
- Extended logging periods for debugging (up to 30 days)
- Log rotation: Automatic deletion after 30 days
- Obligation to use in compliance with data protection
- Separate data processing agreement required
- Webhooks: Responsibility for recipient endpoints lies with the customer
14. Protection of Minors
Our B2B services are aimed exclusively at companies and their adult employees. Use by persons under the age of 18 is not permitted.
15. Changes to the Privacy Policy
We reserve the right to amend this privacy policy. The current version can always be found on our website. We will inform you by email in the event of significant changes.
16. Contact
If you have any questions about data protection, please contact:
Data Protection Officer:
heyData GmbH
Schützenstr. 5
10117 Berlin
Email: datenschutz@heydata.eu